Onapsis has found a large number of high risk vulnerabilities affecting Oracle E-Business Suite (EBS) platforms, which could allow attackers to access or modify sensitive business data and may be exploited remotely without any authentication

ETCIO | Updated: October 18, 2017, 09:38 IST

Boston - Bangalore: Onapsis, a global SAP and Oracle application cybersecurity and compliance expert, said that it has discovered a large number of high risk vulnerabilities affecting Oracle E-Business Suite (EBS) platforms. If exploited, these vulnerabilities could allow attackers to access or modify sensitive business data, and the attacks can be carried out remotely without any authentication.

In light of the recent Equifax breach and the cybersecurity keynotes at Oracle OpenWorld, these findings further highlight the need for patching.

“The message from Oracle to their customers was loud and clear: you need to make cybersecurity a top priority. At Onapsis we have been working directly with Oracle’s security teams to help protect one of the most critical applications, E-Business Suite. While we are making great progress, organizations still need to remain focused on applying patches at the business-critical application layer. This is a complex process and sometimes falls through the cracks between IT, application and security teams,” said Mariano Nunez, CEO, Onapsis.

In Gartner’s “Hype Cycle for Application Security, 2017”¹ for the emerging category of Business-Critical Application Security, Analyst Neil MacDonald reports, “As financially motivated attackers turn their attention ‘up the stack’ to the application layer, business applications such as ERP, CRM and human resources are attractive targets. In many organizations, the ERP application is maintained by a completely separate team and security has not been a high priority. As a result, systems are often left unpatched for years in the name of operational availability. In other cases, systems are misconfigured, exposing these systems directly to the public internet and attackers. Publicly disclosed attacks are rare, so the problem remains largely ignored.”

Patching Guidance to Organizations for New Vulnerabilities

Onapsis is warning users of Oracle EBS versions 12.1 and 12.2, which are exposed to SQL injection vulnerabilities that would allow an attacker, over the network and without any username or password, to gain access to and modify critical documents and information such as credit card data, customer information, HR documents or financial records.
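To make the vulnerability class concrete, the following is an added illustration written for this page; it is not Onapsis's or Oracle's code and it says nothing about the actual EBS components, which have not been disclosed. It uses an in-memory SQLite table with constructed sample rows to show how an unauthenticated request parameter concatenated into a query lets a remote caller read every row (and the schema) instead of the one record intended, and how type validation plus parameter binding closes that path. The table, column names and payloads are all assumptions for the demonstration.

```python
import sqlite3


def build_db():
    """Constructed sample data standing in for an ERP invoice table.
    The schema is invented for this example, not the EBS data model."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE invoices (id INTEGER, customer TEXT, amount REAL, card_last4 TEXT)"
    )
    conn.executemany(
        "INSERT INTO invoices VALUES (?, ?, ?, ?)",
        [
            (1, "Acme Corp", 1200.00, "4242"),
            (2, "Globex", 88.50, "1881"),
            (3, "Initech", 5600.00, "0005"),
        ],
    )
    return conn


def fetch_invoice_vulnerable(conn, invoice_id):
    """Vulnerable pattern: the request parameter is pasted into the SQL text.
    Anything the caller sends becomes part of the statement, so no login is
    needed to change what the query does."""
    sql = (
        "SELECT id, customer, amount, card_last4 FROM invoices WHERE id = "
        + invoice_id
    )
    return conn.execute(sql).fetchall()


def fetch_invoice_safe(conn, invoice_id):
    """Hardened pattern: validate the expected type before the value reaches the
    database, then pass it as a bound parameter so it is never parsed as SQL."""
    try:
        n = int(invoice_id, 10)
    except (TypeError, ValueError):
        raise ValueError("invoice id must be an integer")
    return conn.execute(
        "SELECT id, customer, amount, card_last4 FROM invoices WHERE id = ?", (n,)
    ).fetchall()


if __name__ == "__main__":
    db = build_db()
    # Intended use: one row.
    print(fetch_invoice_vulnerable(db, "2"))
    # Tautology payload (constructed): every invoice, including card data.
    print(fetch_invoice_vulnerable(db, "0 OR 1=1"))
    # UNION payload (constructed): reads the schema out of sqlite_master.
    print(fetch_invoice_vulnerable(db, "0 UNION SELECT 0, sql, 0, 0 FROM sqlite_master"))
    # The hardened version rejects the same payload before it reaches the database.
    try:
        fetch_invoice_safe(db, "0 OR 1=1")
    except ValueError as e:
        print("rejected:", e)
```

The point of the hardened function is that the fix is two independent controls: the integer check rejects malformed input early (and is cheap to log as an attack indicator), while parameter binding means that even a value that slips past validation is sent to the database as data rather than as statement text.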

“These vulnerabilities are especially risky as an attacker would only need a web browser and network access to the EBS system HTTP interface to perform it. Critical business information could be stored in the system including invoices, purchase orders, HR information and design documents. Even systems in a DMZ could be vulnerable. We see first hand how business-critical application vulnerabilities are different, and that's why Onapsis co-presented with Oracle at OpenWorld on the topic of patching Business-Critical Applications,” said JP Perez-Etchegoyen, CTO, Onapsis.

“While we would never scan to identify vulnerable systems, using free search engines we were able to identify that upwards of 1,000 EBS systems are currently connected to the internet, more than half of these being in the United States. These organizations need to patch immediately to mitigate this risk in their organization,” continued JP.

As the leading Oracle partner for cybersecurity, Onapsis Research Labs worked closely with Oracle’s Product Security & Engineering teams to help them develop the security patches for these vulnerabilities. Onapsis is directly responsible for finding 15 of the 24 (62.5%) Oracle EBS vulnerabilities fixed in this quarter’s Oracle Critical Patch Update (CPU), released today. Vulnerabilities in Oracle EBS are on the rise, with a 29% increase in 2017 year-to-date over the same period last year.

As part of its responsible disclosure policy, the Onapsis Research Labs will only release technical details of these vulnerabilities after they have been patched, so that Oracle customers have what they need to secure their EBS systems first. The Onapsis Research Labs has discovered and helped fix more than 200 vulnerabilities in Oracle business applications, has been credited with over 57% of all EBS vulnerabilities reported, and has released over 150 advisories to date.

Each advisory details the business-context relevance of an identified vulnerability, including impact on a business, a description of the affected components, and steps to resolution such as patch download links and recommended security fixes.
